his section contains two dozen controls that can be applied to the acquisi­tion, valuation, and disposal of fixed assets. Of this group, 13 are consid­ered primary controls and are included in the flowchart in figure “System of Fixed Asset Controls”. The remaining 11 controls either do not fit into the various fixed asset transaction flows or are considered secondary controls that can bolster the primary con­trols as needed.

In essence, the system of controls for an asset acquisition requires that initial funding approval come from the annual budget, as well as additional approval through a formal capital investment form just prior to the actual ac­quisition. There should also be a post installation analysis of how actual project results compared to the estimates shown in the original capital in­vestment form. The key controls used once an asset is installed are to tag it, assign specific responsibility for it, and ensure that any asset transfers are approved by the shipping and receiving managers. Finally, asset disposition controls call for regular disposition reviews to ensure that dispositions occur while assets still retain some resale value, a formal disposition approval process, and proper tracking of any resulting receipts.

System of Fixed Asset Controls

Read the rest of this entry »

The next eight policies are useful for enforcing payroll-related controls. The first five policies are targeted at employees in general, enforcing various rules that reduce the amount of data entry and tracking work by the payroll staff. They are:

1. Hourly employees must submit an approved time sheet by the designated date and time in order to be paid as part of the regular payroll cycle. Though difficult to enforce, this policy puts the burden of time sheet submission on individual employees rather than the payroll staff.
2. The company does not make purchases on behalf of employees. This policy keeps the payroll staff from having to track a series of periodic deductions from employee pay in order to cover the cost of items purchased by the company for employees. From a control perspective, it also eliminates the risk to the company that an employee will leave the company prior to paying back the funds expended for the purchase.
3. The company does not issue advances on company pay. This policy keeps the payroll staff from having to manually enter pay deductions into the payroll system to offset pay advances, thereby reducing the risk that deductions will be incorrectly entered or not entered at all.
4. Employees shall not be allowed to carry forward more than __ hours of vacation and sick time into the next calendar year. This policy ensures that there is no risk of excessive vacation or sick time payouts to a de­parting employee that would otherwise occur through the ongoing ac­cumulation of earned vacation and sick time.
5. All employees shall be paid by direct deposit or payroll card. This policy is useful for switching 100 percent of employees to electronic payments, thereby avoiding several control problems associated with making check or cash payments. Read the rest of this entry »

Many companies do not process their payrolls at all. Instead, they send time­keeping and pay rate information to a third party, who processes the payroll, sends back paychecks to the company for distribution, and remits taxes on behalf of the company. Generally speaking, the use of payroll suppliers re­duces the level of control needed over the payroll process, especially if the company elects to have the supplier make payments to employees with di­rect deposit; by doing so, no controls over the handling of checks are needed.

Read the rest of this entry »

In addition to issuing electronic payments to employees, it is also possible to issue electronic remittance advices and W-2 forms to them. The most com­mon approach is to post this information in PDF format in secure accounts on the Internet. There is no asset control problem with these best practices, since there is no potential loss of assets. However, there is a risk of employee pay information becoming available to anyone who gains access to the on­line accounts. The next control is necessary to mitigate this risk.

• Require user ID and password access to remittance and W-2 accounts. Anyone accessing electronic remittance or W-2 information over the Internet must be required to set up user identification and password in­formation to access the accounts. To lock down access to this informa­tion even more tightly, it may be necessary to require periodic password changes.

[tags]payroll remittance[/tags]

Self-service is becoming relatively common for employees, who can di­rectly access the payroll system and change their address, tax deductions, benefits deductions, and related information. In addition, some companies have separate self-service systems for managers that allow them to enter pay rate changes, termination and hire dates, and similar types of information. Because these systems are based on the concept of switching the payroll staff from data entry work to process monitoring, any controls added to this process should not require manual labor by the payroll staff. Instead, the computerized self-service functions should include these automated controls.

• Install limit checks on pay rate changes. Managers should be allowed a budgeted maximum pay rate change per employee, after which work flow software should route any change request to a higher-level manager for further review.
• E-mail employees with change information. Whenever an employee uses a self-service screen to alter information, the system should send a confirming e-mail message detailing the change. This gives employees the opportunity to spot errors in their entries, while also notifying them if someone else has gained access to the payroll system using their ac­cess codes and has altered their payroll information.
• Notify payroll staff of unauthorized state residencies. If an employee uses the self-service feature to record a state of residence for which the company is not set up to record state income or unemployment tax remittances, the system should notify the payroll staff. The address change should also be rejected until the correct tax identification num­bers have been obtained from the targeted states.
• Require secondary approval or notification of bank account number changes. If an employee has been terminated and another person obtains access to their self-service user ID and password, that person could alter the bank account numbers to which direct deposit pay­ments are being made so that funds are sent to his or her personal ac­counts. By requiring secondary approval of these changes, or at least notification of another person, the risk of such changes occurring is reduced.
• Link termination information to self-service access. If an employee leaves the company, the easiest way to commit fraud is for another em­ployee to continue making payments to that person and to intercept the payments for personal use. To avoid this problem, termination informa­tion from any other system in the company-pension plan, benefits, even building access codes-should be interfaced to the self-service feature and automatically shut down access to it while also notifying the pay­roll department that no further payments should be made, other than a termination payment.

[tags]self service payroll, controls payroll[/tags]

Though many companies still use manual time sheets or punch cards, a va­riety of other computerized timekeeping devices are available, such as clocks equipped with scanners to accommodate employee badges equipped with magnetic, radio frequency identification (RFID), or bar-coded identi­fication tags, Web-based time reporting, Voice over Internet Protocol (VoIP) phones with timekeeping features, and even cell phones with time report­ing functionality. All these systems can be configured to automatically load timekeeping information directly into the computerized payroll computa­tion system.

There is no need for a flowchart to enumerate the controls associated with computerized timekeeping, since the controls only involve the appro­priate use of automated features within the timekeeping systems. The key controls follow.

• Time clock controls clock-in times. A computerized time clock can block out the hours when employees are allowed to clock in or out, thereby keeping them from clocking in for excessive hours or during incorrect shifts. This control requires extra effort to load into the computer sys­tem the exact times during which each employee is authorized to work as well as ongoing maintenance of this information.
• Time clock requires supervisory approval of overtime. A computerized time clock typically categorizes each employee by a specific work pe­riod, so that any hours worked after his or her standard time period will be flagged automatically by the computer for supervisory approval, possibly including a clock-out rejection unless a supervisory approval code is entered on the spot.
• Review time clock reports for irregular entries. A computerized time clock generates a variety of reports that itemize such information as missed punches, late punches, and overtime hours worked. These re­ports are a prime source of control information, and should be exam­ined regularly by supervisors to locate incorrectly reported work hours. Read the rest of this entry »

The preceding control systems were all designed primarily for the receipt of payments made by check. But what if the primary form of payment is cash? Unlike checks, cash is completely untraceable, and so is the preferred asset to steal. Thus, cash handling calls for tighter physical controls. The essen­tial cash receipts process flow is for the initial cash receipt to be stored in a cash register, which is reconciled at the end of each shift; cash is removed at the end of each shift for deposit, after which the bank’s validated deposit slip is reconciled to the company’s original deposit slip. The basic controls are shown in Exhibit 6.10.

The controls noted in the flowchart are described at greater length next, in sequence from the top of the flowchart to the bottom.

• Enter cash in cash register. The primary role of the cash register is to record the amount of cash stored in it, either electronically or on a paper tape, while also providing a moderate level of security over the cash. If there is no cash register, as may be the case in very low-volume cash-handling situations, at least use prenumbered receipts to record the cash.
• Give copy of receipt to customer. When using a cash register, there is a risk that the cash register operator will remove cash and punch in a re­duced cash receipt. To reduce this risk, always require cash register op­erators to give a copy of the receipt to the customer, since customers may review their receipts to ensure that the correct amount of cash was received. As an added inducement, many retail operations offer a free purchase to customers who do not receive a receipt.
• Reconcile cash to cash receipts. At the end of a cash handler’s shift, a different person with no responsibility for cash handling should recon­cile the cash in the cash register to the total of cash received as recorded on the register. Once completed, the person completing the reconcilia­tion should sign and date it, so there is a record that a reconciliation in­deed took place.
• Transport cash in locked container. To reduce the risk of unauthorized access to any cash being transported for deposit, always store it in a locked cash pouch. The most elaborate extension of this concept is to hire an armored truck to transport the cash, which is mandatory for larger quantities of cash.

Read the rest of this entry »

Lockbox truncation is the process of converting a paper check into an elec­tronic deposit. The basic process is to insert a check into a check reader, which scans the magnetic ink characters on the check into a vendor-supplied software package. The software sends this information to a third-party ACH processor, which typically clears payment in one or two days. This approach removes from the typical check-handling process the need for any daily bank deposit, though most other controls involved in the standard process flow noted earlier in Exhibit 6.3 are still required. The modified process flow is shown in Exhibit 1.

The principal control addition in the exhibit is that the cashier should ver­ify that the lockbox truncation report printed by the lockbox truncation soft­ware matches the checks just entered into the system and then should initial the report to indicate that this control has been completed. This is a simple error-correction control. Also, since the truncation report replaces the de­posit slip, the truncation report is filed instead of the validated deposit slip. Read the rest of this entry »

A lockbox is essentially a separate mailbox to which deposits are sent by customers. The company’s bank opens all mail arriving at the lockbox, de­posits all checks at once, copies the checks, and forwards all check copies and anything else contained in customer remittances to the company. The bank may also scan the checks and post them online for immediate view­ing by the company. This approach has the advantage of accelerating the flow of cash into a company’s bank account, since the lockbox system typ­ically reduces the mail float customers enjoy by at least a day while also eliminating all of the transaction-processing time that a company would also need during its internal cash-processing steps.

The number of controls needed in a lockbox environment is consider­ably reduced, since there is no cash on the corporate premises. The reduced set of controls is shown in Exhibit 1. In this revised system, the cashier ac­cesses check images over the Internet or obtains this information from the remittances advices forwarded to the company by the bank. In either case, the cashier logs the receipts into the cash receipts journal, while the receiv­ables clerk verifies that all receipts were correctly logged in to the computer system.

The controls noted in the flowchart are described at greater length next, in sequence from the top of the flowchart to the bottom. Read the rest of this entry »

The first two of the next four policies relate directly to the act of issuing an invoice or credit memo, while the third and fourth policies assist in adopt­ing consistent revenue recognition practices that are tied to billings. The adoption of these policies assists in enforcing various control systems de­scribed in this chapter. The policies follow.

1. All invoices must be issued within one day of shipment or completion of service delivery. This policy is designed to accelerate cash flow by avoiding billing delays. It also impacts the speed of the month-end closing, since billing is typically a significant bottleneck in the closing process.
2. Credit memos require prior supervisory approval. This policy prevents employees in the collections area from fraudulently intercepting cus­tomer payments and then offsetting the related invoices with credit memos.
3. The company shall not use bill and hold transactions. Though bill and hold transactions are allowable under clearly defined and closely re­stricted circumstances, they are subject to abuse and so generally should be avoided. If used, the form shown in Exhibit 1 can be used to doc­ument customer approval of the method. Read the rest of this entry »